Multiple IP - basic questions

  • Hi,

    I'm trying to get some webhosting stuff on my Debian machine running. But I have some Problems with SSL - because each SSL needs its owen (dedicated)public IP. so I admitted that I have to come away from my conservative NAT.

    But the question is how to solve that in my pfSense? Do I have to Disable NAT in "Firewall–>--NAT-->--Outbound--> and change it to "Enable advanced outbound NAT""??


    do I easily have to leave my current NAT forwardet Ports and only add the new dedicated public IP address into "Firewall: NAT: 1:1: Edit" and forward it to an virtual internal IP address of my Debian Server?

    or do I have to do both?
    It would be nice to give some examples ;-)

    Thanks for helping!



  • 1:1 nat is a combination of portforwards and outbound nat. Unless you want to have individual ports of the same public IP going to different internal servers I would go with 1:1 nat.

    • delete the portforwards that you now have in place (1:1 nat will take care of this)
    • setup Virtual IPs for the additional public IPs (firewall>virtual IPs)
    • create 1:1 nat's for the public IPs and the internal hosts (firewall>nat, 1:1 nat)
    • create firewallrules for the allowed traffic (firewall>rules, wan; destination is the internal hosts IP)

    save and apply.

  • allright-thats nearly what I guessed - but anyway this is new territory so I need some easy help with some examples step by step …:


    How should my pfsense look like if my internal webserver IP would be the and the virtual public IP which I got from my ISP would be the (T-COM)
    (I use one WAN and one LAN)

    Step by Step …. :

    1. deleting all my NAT entries in the port forarding table … pfsense like a newly installed one without anything configured except the WAN for my ISP connection (PPPoe to T-COM)

    2. Setting up Virtual IP address:

    • does Proxy ARP, CARP and other mean? - Does somebody maybe have some external links for a good German or English description?

    my ISP is German T-COM and I guess I have to chose proxy arp - so this is what I would type in:

    Type                       Proxy ARP
    Interface 	          WAN
    Type:   	           single addres
    Virtual IP Password      -left blank-
    VHID Group              -left blank-
    Advertising Frequency   -left blank-
    Description              my first virtual IP

    save & applay …. allright ...

    3. create 1:1 nat's for the public IP
    (you have to know that my internal webservers address is and the public IP which I want to forward to the webserver is still the ;-)

    so I open the 1:1 option in my webinterface… and that's how I would type it in ...:

    Interface                 WAN
    External subnet
    Internal subnet
    Description             my first forwarded IP

    save & applay  ^^ doesn't work ;-) need some help

    (by the way .. I didn't change anythin in Outbound meanwhile … the whole pfsense is configured by default ... hope that's allright ;-) ... )

    ... let's theoreticaly go on anyway ...

    4. create firewallrules for the allowed traffic - that's how I would do it … please tell me if I'm wrong with something or if anything looks weired ;-) in the end I want to have an open Port 80 for my webserver which is reachable from outside if i type in the IP in my webbrowser … I think you understand ;-)

    Firewall: Rules --> WAN ---> + (to add a new rule)

    Action    Pass
    Disabled    left unticked
    Interface   WAN
    Protocol    TCP
    Source      checkbox is left unticket
    Type          Single host or alias
    Source OS    -left on "any"-
    Destination   not is left unticket
    Type          Single host or alias
    Destination port range:
    from 80
    to: 80
    Log:                      -left unticket-
    Advanced Options    -I didn't change anything there ...-
    State Type             -I didn't change anything there ...-
    No XMLRPC Sync    -left unticket-
    Gateway          default
    Description:        my first http portforwarding for virtual IP

    Would I be ready for using it now or is something missed or wrong except the entries in 1:1 which I hope to get help from anybody of you… ;-) ?

    And that should be my result if everything's running:

    Webbrowser (typed in:>(>(

    I hope I wrote it understandable ;-)

    Thanks to everybody who is developing and making pfsense better and easier for everybody!!!!! respect!!


  • If you are using NAT 1:1 then the Outbound should be empty. I am trying to do the same thing as you but my pfSense is also doing load balancing. So far I haven't got the NAT to work right. But I just reconfigured it and it seems to be working (no error massages yet). Only time will tell.

  • isn't my Outbound empty if I reinstall it completly new and let it configured by standart?

    and what about my 1:1 how I wrote it in the example in my 2nd thread above….. something is wrong with the IPs/Subnets ?!

    Could anybody please give me a clue?

    Thanks a lot!


  • Can you give us some details about your WAN setup and all WAN public IPs that you have (real interface IP and virtual IPs, type of WAN conection)?

    For the different virual IP types:


    • Can be used by the firewall itself to run services or be forwarded
    • Generates Layer2 traffic for the VIP
    • Can be used fo clustering (master firewall and standby failover firewall)
    • The VIP has to be in the same subnet like the real interfaces IP


    • Can not be used by the firewal itself but can be forwarded
    • Generates Layer2 traffic for the VIP
    • The VIP can be in a different subnet than the real interfaces IP


    • Can be used if the Provider routes your VIP to you anyway without needing Layer2 messages
    • Can not be used by the firewall itself but can be forwarded
    • The VIP can be in a different subnet than the real interfaces IP

    Hope that helps a bit.